Presently, computer users throughout the world are plagued by the widespread problem of malware, which affects not only computers running versions of MS Windows but also other, less popular platforms. Malware is becoming increasingly sophisticated, forcing producers of anti-malware software to continually find new approaches for detecting and removing malware programs.
Besides conventional methods of detection, such as digital signature checking and the use of emulator programs, other technologies in use include intrusion detection and intrusion prevention systems that control the execution of programs and maintain whitelists of trusted applications.
Of particular concern are the malware programs known as rootkits, which, to date, have not been effectively manageable using conventional security measures. These programs are able to conceal the tracks of their existence in a computer system using techniques such as hijacking administrator (or higher-level) privileges. Such programs are difficult to detect using known antivirus techniques, because those techniques have a limited ability to see objects that have been hidden, such as hidden files, hidden processes, or hidden registry entries.
To conceal their existence, rootkits utilize various methods of intercepting system functions, such as intercepting (i.e., hooking) program function calls and changing the information returned in response to them. For example, a rootkit may detect a program function call that requests certain registry entries and, instead of returning the actual registry entries, return a modified or reduced list of registry entries to the calling program.
It should be noted that, besides the traditional notion of rootkits as malware, some may be used for legitimate applications, such as copy protection techniques. Known methods of detecting rootkits involve creating specific procedures corresponding to individual rootkits, so that the operation of a given rootkit can be bypassed or its interception of system functions interfered with. These methods present an intensive burden for security program developers, who struggle to keep up with the ever-expanding advance of malware.
Another approach, such as the one disclosed in U.S. Pat. App. Pub. No. 2007/0078915 (Gassoway), involves running a separate detector in kernel space that bypasses some of the operating system's kernel code that may have been compromised by a rootkit. If information about the computer system is requested both through the possibly compromised kernel code and through the separate detector, any difference between the two results may indicate a rootkit's presence. This approach provides a means for detecting rootkits without a priori knowledge of specific existing rootkits; however, the separate detector itself may be compromised by rootkit-like malware targeting this specific security technique.
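The cross-view comparison described above, as an added illustration that is not part of the patent text or of the cited Gassoway application: a simulated hooked enumeration (which filters one entry, as the hooking paragraph describes) is compared against a trusted enumeration, and any entry present in one view but not the other is flagged. All registry data and the hook's filtering rule are constructed for this example.

```python
"""Cross-view detection: request the same information through two
independent paths and diff the results. Every value below is constructed."""
from dataclasses import dataclass

# Constructed sample: what an unhooked read of an autorun key would return.
RAW_RUN_ENTRIES = {
    "UpdaterService": r"C:\Program Files\Example\updater.exe",
    "TrayHelper": r"C:\Program Files\Example\tray.exe",
    "hidden_loader": r"C:\Windows\Temp\hidden_loader.exe",  # entry the hook conceals
}
CONCEALED_NAME = "hidden_loader"  # constructed rule for the simulated hook


def trusted_enumerate() -> dict[str, str]:
    """Trusted path (stands in for a separate detector reading the data directly)."""
    return dict(RAW_RUN_ENTRIES)


def hooked_enumerate() -> dict[str, str]:
    """Simulates a hooked system call: same data, one entry removed before
    it is returned to the caller, as the text describes."""
    return {k: v for k, v in RAW_RUN_ENTRIES.items() if k != CONCEALED_NAME}


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset    # in the trusted view, missing from the API view
    phantom: frozenset   # in the API view only, or with a differing value


def cross_view_diff(api_view: dict, trusted_view: dict) -> CrossViewResult:
    """Any disagreement between the two views is reported; an empty result
    means the views agree (which does not prove the trusted path is clean)."""
    hidden = {k for k in trusted_view if k not in api_view}
    phantom = {k for k, v in api_view.items() if trusted_view.get(k) != v}
    return CrossViewResult(frozenset(hidden), frozenset(phantom))


def detect() -> CrossViewResult:
    return cross_view_diff(hooked_enumerate(), trusted_enumerate())


if __name__ == "__main__":
    result = detect()
    print("hidden entries:", sorted(result.hidden))
    print("phantom entries:", sorted(result.phantom))
```

As the text notes, the comparison is only as reliable as the trusted path; if both enumerations are subverted in the same way, the views agree and nothing is flagged.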
In addition, it is contemplated that, in the near future, rootkits or rootkit-like malware may target other parts of a computer system that are not equipped to detect such malware.
Accordingly, improved techniques for effective rootkit detection that overcome these, and other, challenges are needed.